2. Information security aka. InfoSec
● Information security, sometimes shortened to InfoSec, is
the practice of defending information from unauthorized
access, use, disclosure, disruption, modification,
perusal, inspection, recording or destruction.
It is a general term that can be used regardless of the form
the data may take (electronic, physical, etc.).
3. Defending? Defend from whom?
● Competitor
– BMW vs Toyota
– P.R.C. vs U.S.A.
– Huawei vs CISCO
● Black Hat Hackers
– IT specialists who are mostly hired by
organized or unorganized criminals.
4. Who is the target though?
● Governments
– Oh, you've got some economic plans? Let us have a look ;)
● Military
– New artillery shell? New machine gun?
● Corporations
– You've got some products? We (the attackers) may want to damage
them or maybe make a copy.
● Financial Institutions
– Mr.X is a rich guy, let's see how many “Franklins” he has in his
account.
5. Key Concepts of InfoSec
● CIA! not FBI, nor NSA!
– Confidentiality
– Integrity
● This means that data cannot be modified in an
unauthorized or undetected manner.
– Availability
● The system and its resources should work properly
and be available.
6. How to make it secure then?
No way, you cannot ;)
In the best case, you can reduce the damage and the
consequences of a data breach.
But wait... I think I've got some hints for that.
7. Logical vs Physical
First we decide it by logic, then we apply it physically :D
Logical: Least Privilege
Do we really need to run Firefox as administrator?
Physical: Separation of Duties
A web developer doesn't need the root password of the
server.
8. Who DID it?
● Who was wise and well informed!
Defense In Depth (DID)
is the most effective method of defense.
9. Access Control
● Access to protected information must be restricted to people
who are authorized to access the information.
● Access control is generally considered in three steps:
– Identification
● Who are you? Are you really Dean Davis?
– Authentication
● How can you prove that? Any driver's license?
– Authorization
● Okay Mr. Davis, but wait...
You are a Programmer, not a Network Administrator!
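The three access-control steps above, together with the least-privilege and separation-of-duties idea from slide 7, can be put into a few lines of code. The example below is added here and is not part of the original slides; the users, passwords and the role-to-permission table are constructed sample data (Dean Davis and the programmer / network administrator roles are taken from the slide). Authentication uses PBKDF2 from the Python standard library with a constant-time comparison; authorization is a role check, so a programmer who authenticates correctly still cannot configure the router.

```python
"""Added example: identification, authentication, authorization.
Not code from the original slides; users and roles below are constructed."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Role -> permissions. Least privilege: each role holds only what its job
# needs. Separation of duties: the programmer role never gets router/root
# rights, the network admin role never gets commit rights.
ROLE_PERMISSIONS = {
    "programmer": {"read_source", "commit_code"},
    "network_admin": {"read_source", "configure_router"},
}

PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a PBKDF2-HMAC-SHA256 digest; a fresh random salt is used when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


# Constructed user directory: username -> {salt, digest, role}
USERS: Dict[str, dict] = {}


def add_user(name: str, password: str, role: str) -> None:
    salt, digest = hash_password(password)
    USERS[name] = {"salt": salt, "digest": digest, "role": role}


add_user("dean.davis", "correct horse battery staple", "programmer")      # constructed
add_user("net.admin", "another-constructed-passphrase", "network_admin")  # constructed


def identify(name: str) -> Optional[dict]:
    """Step 1 - identification: who claims to be here? Returns the record or None."""
    return USERS.get(name)


def authenticate(name: str, password: str) -> bool:
    """Step 2 - authentication: can the claimant prove it?"""
    user = identify(name)
    if user is None:
        # Do the same amount of work for unknown users so the response time
        # does not reveal which usernames exist.
        hash_password(password, os.urandom(16))
        return False
    _, digest = hash_password(password, user["salt"])
    return hmac.compare_digest(digest, user["digest"])


def authorize(name: str, permission: str) -> bool:
    """Step 3 - authorization: is this (already authenticated) user allowed to do it?"""
    user = identify(name)
    if user is None:
        return False
    return permission in ROLE_PERMISSIONS.get(user["role"], set())


def access(name: str, password: str, permission: str) -> str:
    """Run the three steps in order; returns 'unknown', 'denied', 'forbidden' or 'granted'."""
    if identify(name) is None:
        return "unknown"
    if not authenticate(name, password):
        return "denied"
    if not authorize(name, permission):
        return "forbidden"
    return "granted"


if __name__ == "__main__":
    print(access("dean.davis", "correct horse battery staple", "commit_code"))       # granted
    print(access("dean.davis", "correct horse battery staple", "configure_router"))  # forbidden
    print(access("dean.davis", "wrong password", "commit_code"))                     # denied
    print(access("nobody", "anything", "read_source"))                               # unknown
```

The order matters: authorization is only meaningful after authentication has succeeded, and a failed authentication is reported the same way whether the password or the permission would have been the problem, so the caller learns nothing extra.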
10. Cryptography
● Information security uses cryptography to transform usable
information into a form that renders it unusable by anyone
other than an authorized user.
● What about encryption? That was the exact definition of
encryption, and to do it we use cryptography
techniques.
Hello → J$$$qpys (Encryption)
J$$$qpys → Hello (Decryption)
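The Hello → J$$$qpys → Hello round trip above, as an added example that is not part of the original slides. It uses only the Python standard library: a keystream generated with HMAC-SHA256 in counter mode is XORed with the plaintext, and an HMAC tag over the result lets the receiver detect modification, which is the Integrity property from slide 5. This construction is an educational stand-in chosen so the example runs without third-party packages; in a real system you would use a standard authenticated cipher such as AES-GCM or ChaCha20-Poly1305 from a vetted library. The key and message are constructed sample values.

```python
"""Added example: encrypt/decrypt with an integrity tag, standard library only.
Not code from the original slides. The cipher is an educational construction
(HMAC-SHA256 keystream in counter mode, encrypt-then-MAC), not a standard one."""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32  # SHA-256 output


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter mode: block i = HMAC(key, nonce || i); concatenate until long enough."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out.extend(hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return bytes(out[:length])


def _split_key(master: bytes):
    """Derive separate encryption and MAC keys so the two jobs never share a key."""
    enc_key = hmac.new(master, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def encrypt(master_key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag. A fresh nonce per message is essential:
    reusing one with the same key would leak the XOR of two plaintexts."""
    enc_key, mac_key = _split_key(master_key)
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(master_key: bytes, blob: bytes) -> bytes:
    """Verify the tag first (constant-time), only then undo the XOR."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    enc_key, mac_key = _split_key(master_key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong key or modified message")
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def tamper_is_detected(master_key: bytes, plaintext: bytes) -> bool:
    """Flip one bit of the ciphertext and check that decryption refuses it."""
    blob = bytearray(encrypt(master_key, plaintext))
    blob[NONCE_LEN] ^= 0x01
    try:
        decrypt(master_key, bytes(blob))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    key = os.urandom(32)  # constructed sample key
    sealed = encrypt(key, b"Hello")
    print(sealed.hex())                     # unusable without the key
    print(decrypt(key, sealed))             # b'Hello'
    print(tamper_is_detected(key, b"Hello"))  # True
```

Two points the slide's one-liner hides: the ciphertext carries a nonce and a tag in addition to the scrambled bytes, and a wrong key is reported as an integrity failure rather than returning garbage, because the tag check runs before any decryption.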